1
/*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
2
/*-
3
 * The authors of this code are John Ioannidis ([email protected]),
4
 * Angelos D. Keromytis ([email protected]) and
5
 * Niels Provos ([email protected]).
6
 *
7
 * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
8
 * in November 1995.
9
 *
10
 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
11
 * by Angelos D. Keromytis.
12
 *
13
 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
14
 * and Niels Provos.
15
 *
16
 * Additional features in 1999 by Angelos D. Keromytis.
17
 *
18
 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
19
 * Angelos D. Keromytis and Niels Provos.
20
 * Copyright (c) 2001, Angelos D. Keromytis.
21
 * Copyright (c) 2016 Andrey V. Elsukov <[email protected]>
22
 *
23
 * Permission to use, copy, and modify this software with or without fee
24
 * is hereby granted, provided that this entire notice is included in
25
 * all copies of any software which is or includes a copy or
26
 * modification of this software.
27
 * You may use this code under the GNU public license if you so wish. Please
28
 * contribute changes back to the authors under this freer than GPL license
29
 * so that we may further the use of strong encryption without limitations to
30
 * all.
31
 *
32
 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
33
 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
34
 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
35
 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
36
 * PURPOSE.
37
 */
38

39
/*
40
 * IPsec input processing.
41
 */
42

43
#include <sys/cdefs.h>
44
#include "opt_inet.h"
45
#include "opt_inet6.h"
46
#include "opt_ipsec.h"
47

48
#include <sys/param.h>
49
#include <sys/systm.h>
50
#include <sys/malloc.h>
51
#include <sys/mbuf.h>
52
#include <sys/domain.h>
53
#include <sys/protosw.h>
54
#include <sys/socket.h>
55
#include <sys/errno.h>
56
#include <sys/hhook.h>
57
#include <sys/stdarg.h>
58
#include <sys/syslog.h>
59

60
#include <net/if.h>
61
#include <net/if_var.h>
62
#include <net/if_enc.h>
63
#include <net/if_private.h>
64
#include <net/netisr.h>
65
#include <net/vnet.h>
66

67
#include <netinet/in.h>
68
#include <netinet/in_pcb.h>
69
#include <netinet/in_systm.h>
70
#include <netinet/ip.h>
71
#include <netinet/ip_var.h>
72
#include <netinet/ip_icmp.h>
73
#include <netinet/in_var.h>
74
#include <netinet/tcp_var.h>
75

76
#include <netinet/ip6.h>
77
#ifdef INET6
78
#include <netinet6/ip6_var.h>
79
#endif
80
#include <netinet/in_pcb.h>
81
#ifdef INET6
82
#include <netinet/icmp6.h>
83
#endif
84

85
#include <netipsec/ipsec.h>
86
#ifdef INET6
87
#include <netipsec/ipsec6.h>
88
#endif
89
#include <netipsec/ipsec_support.h>
90
#include <netipsec/ah_var.h>
91
#include <netipsec/esp.h>
92
#include <netipsec/esp_var.h>
93
#include <netipsec/ipcomp_var.h>
94
#include <netipsec/ipsec_offload.h>
95

96
#include <netipsec/key.h>
97
#include <netipsec/keydb.h>
98
#include <netipsec/key_debug.h>
99

100
#include <netipsec/xform.h>
101

102
#include <machine/in_cksum.h>
103

104
#define	IPSEC_ISTAT(proto, name)	do {	\
105
	if ((proto) == IPPROTO_ESP)		\
106
		ESPSTAT_INC(esps_##name);	\
107
	else if ((proto) == IPPROTO_AH)		\
108
		AHSTAT_INC(ahs_##name);		\
109
	else					\
110
		IPCOMPSTAT_INC(ipcomps_##name);	\
111
} while (0)
112

113
/*
114
 * ipsec_common_input gets called when an IPsec-protected packet
115
 * is received by IPv4 or IPv6.  Its job is to find the right SA
116
 * and call the appropriate transform.  The transform callback
117
 * takes care of further processing (like ingress filtering).
118
 */
119
static int
120
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
121
{
122
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
123
	union sockaddr_union dst_address;
124
	struct secasvar *sav;
125
	uint32_t spi;
126
	int error;
127

128
	IPSEC_ISTAT(sproto, input);
129

130
	IPSEC_ASSERT(m != NULL, ("null packet"));
131

132
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
133
		sproto == IPPROTO_IPCOMP,
134
		("unexpected security protocol %u", sproto));
135

136
	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
137
	    (sproto == IPPROTO_AH && !V_ah_enable) ||
138
	    (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
139
		m_freem(m);
140
		IPSEC_ISTAT(sproto, pdrops);
141
		return EOPNOTSUPP;
142
	}
143

144
	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
145
		m_freem(m);
146
		IPSEC_ISTAT(sproto, hdrops);
147
		DPRINTF(("%s: packet too small\n", __func__));
148
		return EINVAL;
149
	}
150

151
	/* Retrieve the SPI from the relevant IPsec header */
152
	if (sproto == IPPROTO_ESP)
153
		m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
154
	else if (sproto == IPPROTO_AH)
155
		m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
156
		    (caddr_t) &spi);
157
	else if (sproto == IPPROTO_IPCOMP) {
158
		u_int16_t cpi;
159
		m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
160
		    (caddr_t) &cpi);
161
		spi = ntohl(htons(cpi));
162
	}
163

164
	/*
165
	 * Find the SA and (indirectly) call the appropriate
166
	 * kernel crypto routine. The resulting mbuf chain is a valid
167
	 * IP packet ready to go through input processing.
168
	 */
169
	bzero(&dst_address, sizeof (dst_address));
170
	dst_address.sa.sa_family = af;
171
	switch (af) {
172
#ifdef INET
173
	case AF_INET:
174
		dst_address.sin.sin_len = sizeof(struct sockaddr_in);
175
		m_copydata(m, offsetof(struct ip, ip_dst),
176
		    sizeof(struct in_addr),
177
		    (caddr_t) &dst_address.sin.sin_addr);
178
		break;
179
#endif /* INET */
180
#ifdef INET6
181
	case AF_INET6:
182
		dst_address.sin6.sin6_len = sizeof(struct sockaddr_in6);
183
		m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
184
		    sizeof(struct in6_addr),
185
		    (caddr_t) &dst_address.sin6.sin6_addr);
186
		/* We keep addresses in SADB without embedded scope id */
187
		if (IN6_IS_SCOPE_LINKLOCAL(&dst_address.sin6.sin6_addr)) {
188
			/* XXX: sa6_recoverscope() */
189
			dst_address.sin6.sin6_scope_id =
190
			    ntohs(dst_address.sin6.sin6_addr.s6_addr16[1]);
191
			dst_address.sin6.sin6_addr.s6_addr16[1] = 0;
192
		}
193
		break;
194
#endif /* INET6 */
195
	default:
196
		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
197
		m_freem(m);
198
		IPSEC_ISTAT(sproto, nopf);
199
		return EPFNOSUPPORT;
200
	}
201

202
	/* NB: only pass dst since key_allocsa follows RFC2401 */
203
	sav = key_allocsa(&dst_address, sproto, spi);
204
	if (sav == NULL) {
205
		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
206
		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
207
		    (u_long) ntohl(spi), sproto));
208
		IPSEC_ISTAT(sproto, notdb);
209
		m_freem(m);
210
		return ENOENT;
211
	}
212

213
	if (sav->tdb_xform == NULL) {
214
		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
215
		    __func__, ipsec_address(&dst_address, buf, sizeof(buf)),
216
		    (u_long) ntohl(spi), sproto));
217
		IPSEC_ISTAT(sproto, noxform);
218
		key_freesav(&sav);
219
		m_freem(m);
220
		return ENXIO;
221
	}
222

223
	/*
224
	 * Call appropriate transform and return -- callback takes care of
225
	 * everything else.
226
	 */
227
	error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
228
	return (error);
229
}
230

231
#ifdef INET
232
/*
233
 * IPSEC_INPUT() method implementation for IPv4.
234
 *  0 - Permitted by inbound security policy for further processing.
235
 *  EACCES - Forbidden by inbound security policy.
236
 *  EINPROGRESS - consumed by IPsec.
237
 */
238
int
239
ipsec4_input(struct mbuf *m, int offset, int proto)
240
{
241
	int error;
242

243
	error = ipsec_accel_input(m, offset, proto);
244
	if (error != ENXIO)
245
		return (error);
246

247
	switch (proto) {
248
	case IPPROTO_AH:
249
	case IPPROTO_ESP:
250
	case IPPROTO_IPCOMP:
251
		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
252
		ipsec_common_input(m, offset,
253
		    offsetof(struct ip, ip_p), AF_INET, proto);
254
		return (EINPROGRESS); /* mbuf consumed by IPsec */
255
	default:
256
		/*
257
		 * Protocols with further headers get their IPsec treatment
258
		 * within the protocol specific processing.
259
		 */
260
		switch (proto) {
261
		case IPPROTO_ICMP:
262
		case IPPROTO_IGMP:
263
		case IPPROTO_IPV4:
264
		case IPPROTO_IPV6:
265
		case IPPROTO_RSVP:
266
		case IPPROTO_GRE:
267
		case IPPROTO_MOBILE:
268
		case IPPROTO_ETHERIP:
269
		case IPPROTO_PIM:
270
		case IPPROTO_SCTP:
271
			break;
272
		default:
273
			return (0);
274
		}
275
	};
276
	/*
277
	 * Enforce IPsec policy checking if we are seeing last header.
278
	 */
279
	if (ipsec4_in_reject(m, NULL) != 0) {
280
		/* Forbidden by inbound security policy */
281
		m_freem(m);
282
		return (EACCES);
283
	}
284
	return (0);
285
}
286

287
int
288
ipsec4_ctlinput(ipsec_ctlinput_param_t param)
289
{
290
	struct icmp *icp = param.icmp;
291
	struct ip *ip = &icp->icmp_ip;
292
	struct sockaddr_in icmpsrc = {
293
		.sin_len = sizeof(struct sockaddr_in),
294
		.sin_family = AF_INET,
295
		.sin_addr = ip->ip_dst,
296
	};
297
	struct in_conninfo inc;
298
	struct secasvar *sav;
299
	uint32_t pmtu, spi;
300
	uint32_t max_pmtu;
301
	uint8_t proto;
302

303
	pmtu = ntohs(icp->icmp_nextmtu);
304

305
	if (pmtu < V_ip4_ipsec_min_pmtu)
306
		return (EINVAL);
307

308
	proto = ip->ip_p;
309
	if (proto != IPPROTO_ESP && proto != IPPROTO_AH &&
310
	    proto != IPPROTO_IPCOMP)
311
		return (EINVAL);
312

313
	memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
314
	sav = key_allocsa((union sockaddr_union *)&icmpsrc, proto, spi);
315
	if (sav == NULL)
316
		return (ENOENT);
317

318
	key_freesav(&sav);
319

320
	memset(&inc, 0, sizeof(inc));
321
	inc.inc_faddr = ip->ip_dst;
322

323
	/* Update pmtu only if its smaller than the current one. */
324
	max_pmtu = tcp_hc_getmtu(&inc);
325
	if (max_pmtu == 0)
326
		max_pmtu = tcp_maxmtu(&inc, NULL);
327

328
	if (pmtu < max_pmtu)
329
		tcp_hc_updatemtu(&inc, pmtu);
330

331
	return (0);
332
}
333

334
/*
335
 * IPsec input callback for INET protocols.
336
 * This routine is called as the transform callback.
337
 * Takes care of filtering and other sanity checks on
338
 * the processed packet.
339
 */
340
int
341
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
342
    int protoff)
343
{
344
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
345
	struct epoch_tracker et;
346
	struct ipsec_ctx_data ctx;
347
	struct xform_history *xh;
348
	struct secasindex *saidx;
349
	struct m_tag *mtag;
350
	struct ip *ip;
351
	int error, prot, af, sproto, isr_prot;
352

353
	IPSEC_ASSERT(sav != NULL, ("null SA"));
354
	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
355
	saidx = &sav->sah->saidx;
356
	af = saidx->dst.sa.sa_family;
357
	IPSEC_ASSERT(af == AF_INET, ("unexpected af %u", af));
358
	sproto = saidx->proto;
359
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
360
		sproto == IPPROTO_IPCOMP,
361
		("unexpected security protocol %u", sproto));
362

363
	if (skip != 0) {
364
		/*
365
		 * Fix IPv4 header
366
		 */
367
		if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
368
			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
369
			    __func__, ipsec_address(&sav->sah->saidx.dst,
370
			    buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
371
			IPSEC_ISTAT(sproto, hdrops);
372
			error = ENOBUFS;
373
			goto bad_noepoch;
374
		}
375

376
		ip = mtod(m, struct ip *);
377
		ip->ip_len = htons(m->m_pkthdr.len);
378
		ip->ip_sum = 0;
379
		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
380
	} else {
381
		ip = mtod(m, struct ip *);
382
	}
383
	prot = ip->ip_p;
384
	/*
385
	 * Check that we have NAT-T enabled and apply transport mode
386
	 * decapsulation NAT procedure (RFC3948).
387
	 * Do this before invoking into the PFIL.
388
	 */
389
	if (sav->natt != NULL &&
390
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
391
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
392

393
	/*
394
	 * Needed for ipsec_run_hooks and netisr_queue_src
395
	 */
396
	NET_EPOCH_ENTER(et);
397

398
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
399
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
400
		goto bad;
401
	ip = mtod(m, struct ip *);	/* update pointer */
402

403
	/* IP-in-IP encapsulation */
404
	if (prot == IPPROTO_IPIP &&
405
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
406
		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
407
			IPSEC_ISTAT(sproto, hdrops);
408
			error = EINVAL;
409
			goto bad;
410
		}
411
		/* enc0: strip outer IPv4 header */
412
		m_striphdr(m, 0, ip->ip_hl << 2);
413
	}
414
#ifdef INET6
415
	/* IPv6-in-IP encapsulation. */
416
	else if (prot == IPPROTO_IPV6 &&
417
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
418
		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
419
			IPSEC_ISTAT(sproto, hdrops);
420
			error = EINVAL;
421
			goto bad;
422
		}
423
		/* enc0: strip IPv4 header, keep IPv6 header only */
424
		m_striphdr(m, 0, ip->ip_hl << 2);
425
	}
426
#endif /* INET6 */
427
	else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
428
		/*
429
		 * When mode is wildcard, inner protocol is IPv6 and
430
		 * we have no INET6 support - drop this packet a bit later.
431
		 * In other cases we assume transport mode. Set prot to
432
		 * correctly choose netisr.
433
		 */
434
		prot = IPPROTO_IPIP;
435
	}
436

437
	/*
438
	 * Record what we've done to the packet (under what SA it was
439
	 * processed).
440
	 */
441
	if (sproto != IPPROTO_IPCOMP) {
442
		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
443
		    sizeof(struct xform_history), M_NOWAIT);
444
		if (mtag == NULL) {
445
			DPRINTF(("%s: failed to get tag\n", __func__));
446
			IPSEC_ISTAT(sproto, hdrops);
447
			error = ENOMEM;
448
			goto bad;
449
		}
450

451
		xh = (struct xform_history *)(mtag + 1);
452
		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
453
		xh->spi = sav->spi;
454
		xh->proto = sproto;
455
		xh->mode = saidx->mode;
456
		m_tag_prepend(m, mtag);
457
	}
458

459
	key_sa_recordxfer(sav, m);		/* record data transfer */
460

461
	/*
462
	 * In transport mode requeue decrypted mbuf back to IPv4 protocol
463
	 * handler. This is necessary to correctly expose rcvif.
464
	 */
465
	if (saidx->mode == IPSEC_MODE_TRANSPORT)
466
		prot = IPPROTO_IPIP;
467
	/*
468
	 * Re-dispatch via software interrupt.
469
	 */
470
	switch (prot) {
471
	case IPPROTO_IPIP:
472
		isr_prot = NETISR_IP;
473
		af = AF_INET;
474
		break;
475
#ifdef INET6
476
	case IPPROTO_IPV6:
477
		isr_prot = NETISR_IPV6;
478
		af = AF_INET6;
479
		break;
480
#endif
481
	default:
482
		DPRINTF(("%s: cannot handle inner ip proto %d\n",
483
			    __func__, prot));
484
		IPSEC_ISTAT(sproto, nopf);
485
		error = EPFNOSUPPORT;
486
		goto bad;
487
	}
488

489
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
490
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
491
		goto bad;
492

493
	/* Handle virtual tunneling interfaces */
494
	if (saidx->mode == IPSEC_MODE_TUNNEL)
495
		error = ipsec_if_input(m, sav, af);
496
	if (error == 0) {
497
		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
498
		if (error) {
499
			IPSEC_ISTAT(sproto, qfull);
500
			DPRINTF(("%s: queue full; proto %u packet dropped\n",
501
			    __func__, sproto));
502
		}
503
	}
504
	NET_EPOCH_EXIT(et);
505
	key_freesav(&sav);
506
	return (error);
507
bad:
508
	NET_EPOCH_EXIT(et);
509
bad_noepoch:
510
	key_freesav(&sav);
511
	if (m != NULL)
512
		m_freem(m);
513
	return (error);
514
}
515
#endif /* INET */
516

517
#ifdef INET6
518
static bool
519
ipsec6_lasthdr(int proto)
520
{
521

522
	switch (proto) {
523
	case IPPROTO_IPV4:
524
	case IPPROTO_IPV6:
525
	case IPPROTO_GRE:
526
	case IPPROTO_ICMPV6:
527
	case IPPROTO_ETHERIP:
528
	case IPPROTO_PIM:
529
	case IPPROTO_SCTP:
530
		return (true);
531
	default:
532
		return (false);
533
	};
534
}
535

536
/*
537
 * IPSEC_INPUT() method implementation for IPv6.
538
 *  0 - Permitted by inbound security policy for further processing.
539
 *  EACCES - Forbidden by inbound security policy.
540
 *  EINPROGRESS - consumed by IPsec.
541
 */
542
int
543
ipsec6_input(struct mbuf *m, int offset, int proto)
544
{
545
	int error;
546

547
	error = ipsec_accel_input(m, offset, proto);
548
	if (error != ENXIO)
549
		return (error);
550
		
551
	switch (proto) {
552
	case IPPROTO_AH:
553
	case IPPROTO_ESP:
554
	case IPPROTO_IPCOMP:
555
		/* Do inbound IPsec processing for AH/ESP/IPCOMP */
556
		ipsec_common_input(m, offset,
557
		    offsetof(struct ip6_hdr, ip6_nxt), AF_INET6, proto);
558
		return (EINPROGRESS); /* mbuf consumed by IPsec */
559
	default:
560
		/*
561
		 * Protocols with further headers get their IPsec treatment
562
		 * within the protocol specific processing.
563
		 */
564
		if (!ipsec6_lasthdr(proto))
565
			return (0);
566
		/* FALLTHROUGH */
567
	};
568
	/*
569
	 * Enforce IPsec policy checking if we are seeing last header.
570
	 */
571
	if (ipsec6_in_reject(m, NULL) != 0) {
572
		/* Forbidden by inbound security policy */
573
		m_freem(m);
574
		return (EACCES);
575
	}
576
	return (0);
577
}
578

579
int
580
ipsec6_ctlinput(ipsec_ctlinput_param_t param)
581
{
582
	return (0);
583
}
584

585
extern ipproto_input_t	*ip6_protox[];
586

587
/*
588
 * IPsec input callback, called by the transform callback. Takes care of
589
 * filtering and other sanity checks on the processed packet.
590
 */
591
int
592
ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
593
    int protoff)
594
{
595
	IPSEC_DEBUG_DECLARE(char buf[IPSEC_ADDRSTRLEN]);
596
	struct epoch_tracker et;
597
	struct ipsec_ctx_data ctx;
598
	struct xform_history *xh;
599
	struct secasindex *saidx;
600
	struct ip6_hdr *ip6;
601
	struct m_tag *mtag;
602
	int prot, af, sproto;
603
	int nxt, isr_prot;
604
	int error, nest;
605
	uint8_t nxt8;
606

607
	IPSEC_ASSERT(sav != NULL, ("null SA"));
608
	IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
609
	saidx = &sav->sah->saidx;
610
	af = saidx->dst.sa.sa_family;
611
	IPSEC_ASSERT(af == AF_INET6, ("unexpected af %u", af));
612
	sproto = saidx->proto;
613
	IPSEC_ASSERT(sproto == IPPROTO_ESP || sproto == IPPROTO_AH ||
614
		sproto == IPPROTO_IPCOMP,
615
		("unexpected security protocol %u", sproto));
616

617
	NET_EPOCH_ENTER(et);
618

619
	/* Fix IPv6 header */
620
	if (m->m_len < sizeof(struct ip6_hdr) &&
621
	    (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
622
		DPRINTF(("%s: processing failed for SA %s/%08lx\n",
623
		    __func__, ipsec_address(&sav->sah->saidx.dst, buf,
624
		    sizeof(buf)), (u_long) ntohl(sav->spi)));
625

626
		IPSEC_ISTAT(sproto, hdrops);
627
		error = EACCES;
628
		goto bad;
629
	}
630

631
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
632
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
633
		goto bad;
634

635
	ip6 = mtod(m, struct ip6_hdr *);
636
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
637

638
	/* Save protocol */
639
	m_copydata(m, protoff, 1, &nxt8);
640
	prot = nxt8;
641

642
	/*
643
	 * Check that we have NAT-T enabled and apply transport mode
644
	 * decapsulation NAT procedure (RFC3948).
645
	 * Do this before invoking into the PFIL.
646
	 */
647
	if (sav->natt != NULL &&
648
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
649
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
650

651
	/* IPv6-in-IP encapsulation */
652
	if (prot == IPPROTO_IPV6 &&
653
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
654
		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
655
			IPSEC_ISTAT(sproto, hdrops);
656
			error = EINVAL;
657
			goto bad;
658
		}
659
		/* ip6n will now contain the inner IPv6 header. */
660
		m_striphdr(m, 0, skip);
661
		skip = 0;
662
	}
663
#ifdef INET
664
	/* IP-in-IP encapsulation */
665
	else if (prot == IPPROTO_IPIP &&
666
	    saidx->mode != IPSEC_MODE_TRANSPORT) {
667
		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
668
			IPSEC_ISTAT(sproto, hdrops);
669
			error = EINVAL;
670
			goto bad;
671
		}
672
		/* ipn will now contain the inner IPv4 header */
673
		m_striphdr(m, 0, skip);
674
		skip = 0;
675
	}
676
#endif /* INET */
677
	else {
678
		prot = IPPROTO_IPV6; /* for correct BPF processing */
679
	}
680

681
	/*
682
	 * Record what we've done to the packet (under what SA it was
683
	 * processed).
684
	 */
685
	if (sproto != IPPROTO_IPCOMP) {
686
		mtag = m_tag_get(PACKET_TAG_IPSEC_IN_DONE,
687
		    sizeof(struct xform_history), M_NOWAIT);
688
		if (mtag == NULL) {
689
			DPRINTF(("%s: failed to get tag\n", __func__));
690
			IPSEC_ISTAT(sproto, hdrops);
691
			error = ENOMEM;
692
			goto bad;
693
		}
694

695
		xh = (struct xform_history *)(mtag + 1);
696
		bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
697
		xh->spi = sav->spi;
698
		xh->proto = sproto;
699
		xh->mode = saidx->mode;
700
		m_tag_prepend(m, mtag);
701
	}
702

703
	key_sa_recordxfer(sav, m);
704

705
#ifdef INET
706
	if (prot == IPPROTO_IPIP)
707
		af = AF_INET;
708
	else
709
#endif
710
		af = AF_INET6;
711
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
712
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
713
		goto bad;
714
	if (skip == 0) {
715
		/*
716
		 * We stripped outer IPv6 header.
717
		 * Now we should requeue decrypted packet via netisr.
718
		 */
719
		switch (prot) {
720
#ifdef INET
721
		case IPPROTO_IPIP:
722
			isr_prot = NETISR_IP;
723
			break;
724
#endif
725
		case IPPROTO_IPV6:
726
			isr_prot = NETISR_IPV6;
727
			break;
728
		default:
729
			DPRINTF(("%s: cannot handle inner ip proto %d\n",
730
			    __func__, prot));
731
			IPSEC_ISTAT(sproto, nopf);
732
			error = EPFNOSUPPORT;
733
			goto bad;
734
		}
735
		/* Handle virtual tunneling interfaces */
736
		if (saidx->mode == IPSEC_MODE_TUNNEL)
737
			error = ipsec_if_input(m, sav, af);
738
		if (error == 0) {
739
			error = netisr_queue_src(isr_prot,
740
			    (uintptr_t)sav->spi, m);
741
			if (error) {
742
				IPSEC_ISTAT(sproto, qfull);
743
				DPRINTF(("%s: queue full; proto %u packet"
744
				    " dropped\n", __func__, sproto));
745
			}
746
		}
747
		NET_EPOCH_EXIT(et);
748
		key_freesav(&sav);
749
		return (error);
750
	}
751
	/*
752
	 * See the end of ip6_input for this logic.
753
	 * IPPROTO_IPV[46] case will be processed just like other ones
754
	 */
755
	nest = 0;
756
	nxt = nxt8;
757
	while (nxt != IPPROTO_DONE) {
758
		if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
759
			IP6STAT_INC(ip6s_toomanyhdr);
760
			error = EINVAL;
761
			goto bad;
762
		}
763

764
		/*
765
		 * Protection against faulty packet - there should be
766
		 * more sanity checks in header chain processing.
767
		 */
768
		if (m->m_pkthdr.len < skip) {
769
			IP6STAT_INC(ip6s_tooshort);
770
			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
771
			error = EINVAL;
772
			goto bad;
773
		}
774
		/*
775
		 * Enforce IPsec policy checking if we are seeing last header.
776
		 * note that we do not visit this with protocols with pcb layer
777
		 * code - like udp/tcp/raw ip.
778
		 */
779
		if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
780
			error = EINVAL;
781
			goto bad;
782
		}
783
		nxt = ip6_protox[nxt](&m, &skip, nxt);
784
	}
785
	NET_EPOCH_EXIT(et);
786
	key_freesav(&sav);
787
	return (0);
788
bad:
789
	NET_EPOCH_EXIT(et);
790
	key_freesav(&sav);
791
	if (m)
792
		m_freem(m);
793
	return (error);
794
}
795
#endif /* INET6 */
796

797